Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency

Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter his wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

Phone Authentication Isn't

[mentil]

Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number. Using an encrypted channel rather than SMS helps, but there are still problems with e.g. IMEI spoofing and, as demonstrated, social engineering. This seems like a targeted attack, as the attacker knew his phone number and which websites he had cryptocurrency on, so 'security questions' likely wouldn't have helped, either.

Re:Phone Authentication Isn't

[msauve]

"Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number."

Well, no.

The phone/SMS thing is supposed to be only one factor in a multi-factor ID system. And, since there are supposedly legal restraints in place to prevent unauthorized transfers of phone numbers, it's not unreasonable. When I read the title, I was inclined to think the guy was just trying to misplace blame. But, if the carrier was social engineered to do a number transfer, the onus is on them. Number portability should require effort, for good reason.

Banks are, by law, supposed to require two factor authentication. (Crypto is the WWW - Wild Wild West). Unfortunately, the rules allow one factor to be the the device used to access the account (e.g. web cookies). That makes it too easy for both factors to be present on a single device (re: password managers). Multi-factor authentication only really works if the factors are forced to be physically separate.

Maybe

[Murdoch5]

It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure. If the account in question did not require at least 2FA+ to access, which could of been enabled and disabled by the customer, and it's contents were not fully encrypted, to the point that it required an additional layer or security to unlock, such as a TOTP, then they are at fault for not providing a reasonable, and responsible security level for the account access.

However, it also appears that the coin exchange is also at fault, for not providing the same level of infrastructure security.

This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security. I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

Re:Say what?

[mysidia]

WTF does the price of Bitcoin have to do with it?

The price of Bitcoin and whatever business ventures the attackers spent the money on are irrelevent. The damages are the market value of exactly what was stolen at the time that it was stolen --- with the POTENTIAL of adding lost price appreciation between the time stolen and next statement period on the account; if the theft was not discovered immediately, since the accountholder was reviewing accounts infrequently only by reconciling statements with their accounting, Beyond that LOST PROFITS are theoretical and will be very difficult to claim, since the victim would have had the time to buy replacement crypto and chose not to..

I was expecting to favor the phone company

[gurps_npc]

But when I read they had promised they had put a security code in place but they had not done so, they lost it.

This guy took the appropriate steps, the phone company should pay up.

If you say you have security on your account but do not actually put it in, then you owe the customer money